Page MenuHomePhabricator

D9878.id34128.diff
No OneTemporary

D9878.id34128.diff

diff --git a/services/search-index-lambda/.gitignore b/services/search-index-lambda/.gitignore
new file mode 100644
--- /dev/null
+++ b/services/search-index-lambda/.gitignore
@@ -0,0 +1 @@
+/target
\ No newline at end of file
diff --git a/services/terraform/modules/shared/opensearch.tf b/services/terraform/modules/shared/opensearch.tf
--- a/services/terraform/modules/shared/opensearch.tf
+++ b/services/terraform/modules/shared/opensearch.tf
@@ -13,9 +13,8 @@
to_port = 443
protocol = "tcp"
- cidr_blocks = [
- var.cidr_block
- ]
+ cidr_blocks = ["0.0.0.0/0"]
+ security_groups = ["${aws_security_group.search_index_lambda.id}"]
}
tags = {
@@ -37,7 +36,7 @@
security_group_ids = var.is_dev ? [] : [aws_security_group.identity-search[0].id]
}
-
+
advanced_options = {
"rest.action.multi.allow_explicit_index" = "true"
}
diff --git a/services/terraform/modules/shared/outputs.tf b/services/terraform/modules/shared/outputs.tf
--- a/services/terraform/modules/shared/outputs.tf
+++ b/services/terraform/modules/shared/outputs.tf
@@ -4,6 +4,7 @@
aws_dynamodb_table.backup-service-backup,
aws_dynamodb_table.reports-service-reports,
aws_dynamodb_table.tunnelbroker-undelivered-messages,
+ aws_dynamodb_table.identity-users,
]
}
@@ -15,7 +16,6 @@
}
}
-
output "opensearch_domain_identity" {
value = aws_opensearch_domain.identity-search
}
diff --git a/services/terraform/modules/shared/search_index_lambda.tf b/services/terraform/modules/shared/search_index_lambda.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/modules/shared/search_index_lambda.tf
@@ -0,0 +1,54 @@
+variable iam_role_arn {
+ default = "arn:aws:iam::000000000000:role/lambda-role"
+}
+
+variable lambda_zip_dir {
+ type = string
+ default = "../../search-index-lambda/target/lambda/search-index-lambda"
+}
+
+resource "aws_lambda_function" "search_index_lambda" {
+ function_name = "search-index-lambda-function"
+ filename = "${var.lambda_zip_dir}/bootstrap.zip"
+ source_code_hash = filebase64sha256("${var.lambda_zip_dir}/bootstrap.zip")
+ handler = "bootstrap"
+ role = var.iam_role_arn
+ runtime = "provided.al2"
+ architectures = ["arm64"]
+ timeout = 300
+
+ vpc_config {
+ subnet_ids = var.subnet_ids
+ security_group_ids = [aws_security_group.search_index_lambda.id]
+ }
+
+ environment {
+ variables = {
+ RUST_BACKTRACE = "1"
+ OPENSEARCH_ENDPOINT = aws_opensearch_domain.identity-search.endpoint
+ }
+ }
+
+ tracing_config {
+ mode = "Active"
+ }
+}
+
+resource "aws_lambda_event_source_mapping" "trigger" {
+ count = var.is_dev ? 0 : 1
+ event_source_arn = aws_dynamodb_table.identity-users.stream_arn
+ function_name = aws_lambda_function.search_index_lambda.arn
+ starting_position = "LATEST"
+}
+
+resource "aws_security_group" "search_index_lambda" {
+ name = "search_index_lambda_sg"
+ vpc_id = var.vpc_id
+
+ egress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -196,6 +196,106 @@
}
+data "aws_iam_policy_document" "assume_identity_search_role" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "search_index_lambda_role" {
+ name = "search_index_lambda_role"
+ assume_role_policy = data.aws_iam_policy_document.assume_identity_search_role.json
+
+ managed_policy_arns = [
+ aws_iam_policy.manage_cloudwatch_logs.arn,
+ aws_iam_policy.opensearch_domain_access.arn,
+ aws_iam_policy.read_identity_users_stream.arn,
+ ]
+}
+
+data "aws_iam_policy_document" "opensearch_domain_access" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "es:ESHttpHead",
+ "es:ESHttpPost",
+ "es:ESHttpGet",
+ "es:ESHttpDelete",
+ "es:ESHttpPut",
+ ]
+ resources = [
+ module.shared.opensearch_domain_identity.arn,
+ "${module.shared.opensearch_domain_identity.arn}/*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "opensearch_domain_access" {
+ name = "opensearch-domain-access"
+ path = "/"
+ description = "IAM policy for accessing opensearch domain"
+ policy = data.aws_iam_policy_document.opensearch_domain_access.json
+}
+
+data "aws_iam_policy_document" "read_identity_users_stream" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "dynamodb:GetRecords",
+ "dynamodb:GetShardIterator",
+ "dynamodb:DescribeStream",
+ "dynamodb:ListStreams",
+ ]
+ resources = [
+ module.shared.dynamodb_tables["identity-users"].arn,
+ module.shared.dynamodb_tables["identity-users"].stream_arn,
+ "${module.shared.dynamodb_tables["identity-users"].arn}/stream/*",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "read_identity_users_stream" {
+ name = "read-identity-users-stream"
+ path = "/"
+ description = "IAM policy for managing identity-users stream"
+ policy = data.aws_iam_policy_document.read_identity_users_stream.json
+}
+
+data "aws_iam_policy_document" "manage_cloudwatch_logs" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ]
+
+ resources = ["arn:aws:logs:*:*:*"]
+ }
+}
+
+resource "aws_iam_policy" "manage_cloudwatch_logs" {
+ name = "manage-cloudwatch-logs"
+ path = "/"
+ description = "IAM policy for managing cloudwatch logs"
+ policy = data.aws_iam_policy_document.manage_cloudwatch_logs.json
+}
+
+resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
+ role = "${aws_iam_role.search_index_lambda_role.name}"
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
data "aws_iam_policy_document" "identity-search" {
statement {
effect = "Allow"
diff --git a/services/terraform/remote/main.tf b/services/terraform/remote/main.tf
--- a/services/terraform/remote/main.tf
+++ b/services/terraform/remote/main.tf
@@ -53,6 +53,7 @@
bucket_name_suffix = local.s3_bucket_name_suffix
vpc_id = aws_vpc.default.id
+ iam_role_arn = aws_iam_role.search_index_lambda_role.arn
cidr_block = aws_vpc.default.cidr_block
subnet_ids = [
aws_subnet.public_a.id,

File Metadata

Mime Type
text/plain
Expires
Thu, Nov 28, 10:59 AM (20 h, 25 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2593819
Default Alt Text
D9878.id34128.diff (6 KB)

Event Timeline